[pve-devel] [PATCH] do not open forward tunnel on insecure migrations

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jun 6 10:58:40 CEST 2016


Restore previous behaviour and do not request a forward tunnel on
insecure migrations.

This has no direct impact on migrations of any kind, they all
worked, but requesting one port too many from a limited pool is still
not ideal. Neither is an open tunnel that is not needed.

This is a light regression introduced from commit 1c9d54b.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 PVE/QemuMigrate.pm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/PVE/QemuMigrate.pm b/PVE/QemuMigrate.pm
index baf7364..7b9506f 100644
--- a/PVE/QemuMigrate.pm
+++ b/PVE/QemuMigrate.pm
@@ -91,7 +91,7 @@ sub finish_command_pipe {
 sub fork_tunnel {
     my ($self, $tunnel_addr) = @_;
 
-    my @localtunnelinfo = ('-L' , $tunnel_addr );
+    my @localtunnelinfo = defined($tunnel_addr) ? ('-L' , $tunnel_addr ) : ();
 
     my $cmd = [@{$self->{rem_ssh}}, '-o ExitOnForwardFailure=yes', @localtunnelinfo, 'qm', 'mtunnel' ];
 
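Review bot: The new `defined($tunnel_addr)` branch makes an undefined argument mean "start `qm mtunnel` over ssh without any port forward", but nothing in `fork_tunnel` documents that contract. I would add a comment above the assignment, for example `# undef $tunnel_addr: insecure migration, no -L forward requested; only the mtunnel control channel runs over ssh`. Note also that `defined` lets an empty string through, which would hand ssh `-L ''` and presumably be rejected as a malformed forward specification, so callers must pass undef rather than ''. The body of fork_tunnel continues past the end of this hunk.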
@@ -439,11 +439,15 @@ sub phase2 {
 	    }
 
 	} elsif ($ruri =~ /^tcp:/) {
-	    # for backwards compatibility with older qemu-server versions
-	    my $pfamily = PVE::Tools::get_host_address_family($nodename);
-	    my $lport = PVE::Tools::next_migrate_port($pfamily);
+	    my $tunnel_addr;
+	    if ($raddr eq "localhost") {
+		# for backwards compatibility with older qemu-server versions
+		my $pfamily = PVE::Tools::get_host_address_family($nodename);
+		my $lport = PVE::Tools::next_migrate_port($pfamily);
+		$tunnel_addr = "$lport:localhost:$rport";
+	    }
 
-	    $self->{tunnel} = $self->fork_tunnel("$lport:localhost:$rport");
+	    $self->{tunnel} = $self->fork_tunnel($tunnel_addr);
 
 	} else {
 	    die "unsupported protocol in migration URI: $ruri\n";
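Review bot: The `$raddr eq "localhost"` comparison is now the only thing in this branch that decides whether the migration stream gets an ssh forward, and `$raddr` appears to be derived from what the target node reported (its assignment is outside this hunk). Any other value, including `127.0.0.1`, `::1` or an unexpected address, silently takes the no-forward path, where the guest memory would presumably travel unencrypted to `$raddr:$rport`. I would cross-check against the locally configured migration mode before calling `fork_tunnel`, along the lines of `die "secure migration requested but target reported '$raddr'\n" if $secure_requested && $raddr ne "localhost";`, where `$secure_requested` is a placeholder for whatever local setting selects secure migration. Logging the insecure case explicitly would also make the downgrade visible in the task log. phase2 starts before and continues after this hunk.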
-- 
2.1.4




